From d0068ca383ac1129df543d7898e58f036c82d8ec Mon Sep 17 00:00:00 2001 From: Anton Gilgur Date: Sun, 16 Apr 2023 16:07:35 -0400 Subject: [PATCH 1/2] docs(release): add improved security of `metrics-server` note to 1.19 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - I had brought attention to this issue and mentioned the lack of security details in the release notes in the PR for cc41bba0cfab519ceba3a486600c1f7c76529f31 - was requested to submit a PR for this note as well, finally got to pushing this up 😅 - this is good encouragement to switch to the `metrics-server` add-on as it provides better security over a self-install --- docs/releases/1.19-NOTES.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md index 9c1a065eae1ba..28ea4cd18aee6 100644 --- a/docs/releases/1.19-NOTES.md +++ b/docs/releases/1.19-NOTES.md @@ -72,6 +72,7 @@ has been updated by a newer version of kOps unless it is given the `--allow-kops ### Addons * Metrics Server is now available as a configurable addon. Add `spec.metricsServer.enabled: true` to the cluster spec to enable. + * This new addon is **more secure** than installing directly via the `metrics-server` Helm chart as kOps automatically provisions and sets TLS certs, avoiding the need to use the `--kubelet-insecure-tls` flag. See [#6879](https://github.com/kubernetes/kops/issues/6879) for more details. * Cluster Autoscaler is now availalble as a configurable addon. Add `spec.clusterAutoscaler.enabled: true` to the cluster spec to enable. From 9ab5c4e09281d3278ae15c028e9eb1f5c5dd94f9 Mon Sep 17 00:00:00 2001 
From: Anton Gilgur Date: Sun, 16 Apr 2023 16:22:31 -0400 Subject: [PATCH 2/2] correct the nuances of the note, I misremembered / misread my own previous comments - using the configurable add-on is not necessary per se, can remove `--kubelet-insecure-tls` from _any_ installation of `metrics-server`, including one via its Helm chart --- docs/releases/1.19-NOTES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/releases/1.19-NOTES.md b/docs/releases/1.19-NOTES.md index 28ea4cd18aee6..ae92f78e41012 100644 --- a/docs/releases/1.19-NOTES.md +++ b/docs/releases/1.19-NOTES.md @@ -72,7 +72,7 @@ has been updated by a newer version of kOps unless it is given the `--allow-kops ### Addons * Metrics Server is now available as a configurable addon. Add `spec.metricsServer.enabled: true` to the cluster spec to enable. - * This new addon is **more secure** than installing directly via the `metrics-server` Helm chart as kOps automatically provisions and sets TLS certs, avoiding the need to use the `--kubelet-insecure-tls` flag. See [#6879](https://github.com/kubernetes/kops/issues/6879) for more details. + * With this change, one no longer has to set the `--kubelet-insecure-tls` flag, making any `metrics-server` installation **more secure**. See [#6879](https://github.com/kubernetes/kops/issues/6879) for more details. * Cluster Autoscaler is now availalble as a configurable addon. Add `spec.clusterAutoscaler.enabled: true` to the cluster spec to enable.
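Review bot: In [PATCH 1/2], the added sub-bullet under "### Addons" says **more secure** without naming what `--kubelet-insecure-tls` gives up. That flag makes `metrics-server` skip verification of the kubelets' serving certificates, so the note should say that verification is now possible because kOps provisions the TLS certs. A reader deciding whether to drop the flag then knows what they gain. The comparison "than installing directly via the `metrics-server` Helm chart" also ties the benefit to the install method rather than to the certs. Consider wording it around the certificate provisioning itself, which is the part the sentence actually explains.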
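Review bot: In [PATCH 2/2], the replacement line opens with "With this change", but it stays nested as a sub-bullet of the Metrics Server addon bullet, so "this change" reads as "enabling the addon" while the rest of the sentence says any `metrics-server` installation benefits. The rewrite also drops the only explanation of the mechanism ("kOps automatically provisions and sets TLS certs"), leaving the reader to follow the #6879 link to learn why the flag is no longer needed. Suggest naming the change explicitly (what kOps now provisions or signs) and either promoting the line to its own top-level bullet or rephrasing so it does not read as a property of the addon. Separately, the unchanged context line just below has "availalble", which could be fixed in this same docs PR.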